Our VoIP server (freeswitch) is being hit by a "register" attack.
In the log it looks like this:
2019-04-25 14:35:16.137965 [WARNING] sofia_reg.c:1743 SIP auth failure (REGISTER) on sofia profile 'internal' for [[email protected]] from ip 77.247.108.59
For this we have Fail2Ban, which should block the IP after 10 attempts. But it does not work.
Fail2Ban writes many "Found" entries to its log file. After thousands of entries, and with the server slowed down by Fail2Ban, the last entry is "Ban [ip]":
2019-04-25 14:37:18,961 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:18,994 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,033 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,068 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,114 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:19
2019-04-25 14:37:19,152 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,192 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,232 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,268 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,302 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,345 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,384 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:19,426 fail2ban.filter [2167]: INFO [freeswitch] Found 77.247.108.59 - 2019-04-25 14:35:20
2019-04-25 14:37:20,087 fail2ban.actions [2167]: NOTICE [freeswitch] Ban 77.247.108.59
Is this a Fail2Ban failure, or have I misconfigured it?
jail.local:
[DEFAULT]
ignoreip = [censored]
ignorecommand = /usr/bin/php /etc/fail2ban/ignorecommands/freeswitch/check.php <ip>
bantime = 86400
findtime = 3600
maxretry = 10
backend = auto
usedns = warn
banaction = iptables-multiport
mta = sendmail
protocol = tcp
chain = INPUT
action_ = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"]
action_mw = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois[name=%(__name__)s, dest="%(destemail)s", protocol="%(protocol)s", chain="%(chain)s", sendername="%(sendername)s"]
action_mwl = %(banaction)s[name=%(__name__)s, port="%(port)s", protocol="%(protocol)s", chain="%(chain)s"] %(mta)s-whois-lines[name=%(__name__)s, dest="%(destemail)s", logpath=%(logpath)s, chain="%(chain)s", sendername="%(sendername)s"]
action = %(action_)s
jail.d/freeswitch.local:
[freeswitch]
enabled = true
ignoreip = [censored]
ignorecommand = /usr/bin/php /etc/fail2ban/ignorecommands/freeswitch/check.php <ip>
maxretry = 10
findtime = 3600
bantime = 3600
port = 5060,5061,5080,5081
action = %(banaction)s[name=%(__name__)s-tcp, port="%(port)s", protocol="tcp", chain="%(chain)s", actname=%(banaction)s-tcp] %(banaction)s[name=%(__name__)s-udp, port="%(port)s", protocol="udp", chain="%(chain)s", actname=%(banaction)s-udp]
logpath = /var/log/freeswitch/freeswitch.log
filter.d/freeswitch.conf:
[Definition]
failregex = \[WARNING\] sofia_reg\.c:\d+ SIP auth failure \(REGISTER\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            \[WARNING\] sofia_reg\.c:\d+ SIP auth challenge \(INVITE\) on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$
            \[WARNING\] sofia_reg\.c:\d+ Can't find user \[\d+@\d+\.\d+\.\d+\.\d+\] from <HOST>$
            \"FAIL2BAN_HOST=<HOST>\"
            IP <HOST> Rejected by acl
Debian 9 Fail2Ban v0.10.5.dev1
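As an added example (not part of the question and not Fail2Ban's own code), the script below replays constructed FreeSWITCH REGISTER-failure lines through the first failregex from the filter above, with the jail's maxretry=10 and findtime=3600, to show what the filter extracts and at which match a ban is expected. The `<HOST>` expansion is a simplified assumption, and the log lines are constructed from the format shown in the question.

```python
import re
from datetime import datetime, timedelta

# First failregex line from the question's filter.d/freeswitch.conf.
FAILREGEX = (r"\[WARNING\] sofia_reg\.c:\d+ SIP auth failure \(REGISTER\) "
             r"on sofia profile \'[^']+\' for \[.*\] from ip <HOST>$")

# Fail2Ban expands <HOST> itself; this simple host group is an assumption
# for the example and is narrower than the real expansion.
HOST_RE = re.compile(FAILREGEX.replace("<HOST>", r"(?P<host>[\w.:\-]+)"))
# FreeSWITCH log lines start with "YYYY-MM-DD HH:MM:SS.micros ".
TS_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\.\d+ ")


def parse_failure(line):
    """Return (timestamp, host) for a matching REGISTER auth failure, else None."""
    ts = TS_RE.match(line)
    m = HOST_RE.search(line)
    if not ts or not m:
        return None
    return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")


def first_ban(lines, maxretry=10, findtime=3600):
    """Per-host sliding-window count, as a jail with these settings would do.
    Returns (host, time_of_decisive_match) for the first ban, or None."""
    recent = {}
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        ts, host = hit
        keep = [t for t in recent.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        keep.append(ts)
        recent[host] = keep
        if len(keep) >= maxretry:
            return host, ts
    return None


def burst(n, start, step_seconds, host="77.247.108.59"):
    """Constructed log lines: n failures from one host, step_seconds apart."""
    tmpl = ("%s.000000 [WARNING] sofia_reg.c:1743 SIP auth failure (REGISTER) "
            "on sofia profile 'internal' for [1001@192.0.2.10] from ip %s")
    return [tmpl % ((start + timedelta(seconds=i * step_seconds))
                    .strftime("%Y-%m-%d %H:%M:%S"), host) for i in range(n)]


T0 = datetime(2019, 4, 25, 14, 35, 16)
# 12 attempts one second apart: the 10th match (T0 + 9 s) triggers the ban.
print(first_ban(burst(12, T0, 1)))
# 12 attempts 500 s apart never reach 10 inside one hour: no ban.
print(first_ban(burst(12, T0, 500)))
```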